The Hacker News — Cyber Security, Hacking, Technology News

If you are using the Internet, there are the possibilities that you are open to attack.

The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.

This issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs.

Researchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet.

The vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, as well as also threatens anonymity of Tor users by routing them to certain malicious relays.

The flaw actually resides in the design and implementation of the Request for Comments: 5961 (RFC 5961) – a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks.

TCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP.

Web servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them.

A team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a proof-of-concept exploit at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic.

No Need of Man-in-the-Attack Position

Typically, TCP protocol assembles messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message.

Researchers found that 'Side channels' attack allows hackers to guess the TCP packet sequence numbers accurately within first 10 seconds of the attack by using no more information than just the IP addresses of both parties.

This means, an attacker with spoofed IP address does not need a man-in-the-middle (MITM) position, apparently intercepting and injecting malicious TCP packets between any two arbitrary machines on the Internet.

The researchers detailed their findings in the paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous' [PDF], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website.

You can watch the video demonstration above that shows the attack in work.

Targeting the Tor Network

The researchers also show how the flaw (CVE-2016-5696) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over Tor anonymity network.

"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the paper reads.

"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."

The team also provided recommendations on how to mitigate the attack.

Here's How to Mitigate TCP Attack

While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.

For this, you are required to append the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Once done, use sysctl -p to activate the new rule. You need to perform root to do this.

The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.

If you think that the HTTP/2 protocol is more secure than the standard HTTP (Hypertext Transfer Protocol), then you might be wrong, as it took researchers just four months to discover four flaws in the HTTP/2 protocol.

HTTP/2 was launched properly just in May last year after Google bundled its SPDY project into HTTP/2 in February in an effort to speed up the loading of web pages as well as the browsing experience of the online users.

Now, security researchers from data center security vendor Imperva today at Black Hat conference revealed details on at least four high-profile vulnerabilities in HTTP/2 – a major revision of the HTTP network protocol that the today’s web is based on.

The vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash.

The HTTP/2 protocol can be divided into three layers:

The transmission layer that includes streams, frames and flow control

The HPACK binary encoding and compression protocol

The semantic layer – an enhanced version of HTTP/1.1 enriched with server-push capabilities.

The researchers took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2 and discovered exploitable flaws in all major HTTP/2 implementations, including two that are similar to well-known and widely exploited bugs in HTTP/1.x.

The four key vulnerabilities found in HTTP/2 include:

1. Slow Read (CVE-2016-1546)

This attack is identical to the well-known Slowloris DDoS (distributed denial-of-service) attack that major credit card processors experienced in 2010. The Slow Read attack calls on a malicious client to read responses very slowly.

The Slow Read attacks were well-studied in the HTTP/1.x ecosystem and they are still alive in the application layer of HTTP/2 implementations.

"The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," says Imperva.

2. HPACK Bomb (CVE-2016-1544, CVE-2016-2525)

HPACK Bomb is a compression layer attack that resembles a zip bomb attack or a 'decompression bomb'.

HPACK is used to reduce the size of packet headers. Basically, the sender can tell the receiver the maximum size of the header compression table used to decode the headers.

In this attack, a potential hacker creates small and innocent-looking messages that actually unpack into gigabytes of data on the server, thereby consuming all the server memory resources and effectively slowing down or crashing targeted systems.

Imperva created a header that was 4KB size -- the same size as the entire compression table. Then on the same connection, it opened up new streams with each stream that referred to the initial header as many times as possible (up to 16K of header references).

After sending 14 such streams, the connection consumed 896MB of server memory after decompression, which crashed the server, Imperva researchers explain.

3. Dependency Cycle Attack (CVE-2015-8659)

This attack leverages the flow control mechanisms that HTTP/2 uses for network optimization.

A bad intent client can use specially crafted requests to prompt a dependency cycle, thus forcing the server into an infinite loop.

The flaw could allow an attacker to cause Denial of Service (DoS) or even run arbitrary code on a vulnerable system.

4. Stream Multiplexing Abuse (CVE-2016-0150)

The attack allows an attacker to exploit vulnerabilities in the way servers implement the stream multiplexing functionality in order to crash the server. This attack eventually results in a denial of service (DoS) to legitimate users.

All the four vulnerabilities have already been fixed in HTTP/2, which is currently being used by some 85 Million websites, or around 9 percent of all websites, on the Internet, according to W3Techs.

"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users. However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers."

"While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it’s hardly surprising. As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."

The vulnerabilities took advantage of HTTP/2 features that were meant to reduce bandwidth use and round trips while speeding up the loading time of websites.

According to Imperva researchers, by implementing a web application firewall (WAF) with virtual patching capabilities can help enterprises to prevent their critical data and applications from cyber attack while introducing HTTP/2.

You can get more details of Imperva’s research in a report [PDF] dubbed "HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol."

OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic.

OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.

One of the high-severity flaws, CVE-2016-2107, allows a man-in-the-middle attacker to initiate a "Padding Oracle Attack" that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

The Padding Oracle flaw (exploit code) was discovered by Juraj Somorovsky using his own developed tool called TLS-Attacker, which allows developers to test their TLS servers with specific TLS messages.

The "OpenSSL Padding Oracle in AES-NI CBC MAC Check" exists in the cryptographic library since 2013, when OpenSSL patched another Padding Oracle flaw called Lucky 13 that compromised TLS cryptography.

"What we have learned from these bugs is that patching crypto libraries is a critical task and should be validated with positive as well as negative tests. For example, after rewriting parts of the CBC padding code, the TLS server must be tested for correct behaviour with invalid padding messages. I hope TLS-Attacker can once be used for such a task." Juraj said in a blog post.

The second high-severity bug, CVE-2016-2108, is a memory corruption flaw in the OpenSSL ASN.1standard for encoding, transmitting and decoding data that allows attackers to execute malicious code on the web server.

The vulnerability only affects OpenSSL versions prior to April 2015. Although the issue was fixed back in June 2015, the security impact of the update has now come to light.

According to OpenSSL, this flaw can potentially be exploited using maliciously-crafted digital certificates signed by trusted certificate authorities.

OpenSSL also patched four other low-severity vulnerabilities including two overflow vulnerabilities, one memory exhaustion issue and one low severity bug that resulted in arbitrary stack data being returned in the buffer.

You can find more technical details about the critical OpenSSL vulnerabilities on CloudFlare.

The security updates have been released for both OpenSSL versions 1.0.1 and 1.0.2 and administrators are advised to apply patches as soon as possible.

Let's Encrypt has achieved another big milestone by issuing 1 million free Transport Layer Security (TLS) SSL Certificates to webmasters who wish to secure the communications between their users and domains.

Let's Encrypt– operated by the Internet Security Research Group (ISRG) – is an absolutely free, and open source certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.

It is just three months and five days since Let's Encrypt launched a beta version of the service, and the group has crossed 1 Million certificates in use across the Web, Let's Encrypt said in a blog post on Tuesday.

Backed by companies including EFF, Akamai and Mozilla, the Let's Encrypt project started offering Free HTTPS certs to everyone from last December.

Let's Encrypt certificates are configured with cross-signatures from SSL cert provider IdenTrust, making its free certs trustworthy and allowing users to browse more securely on the Internet.

With Let's Encrypt, it is very easy for anyone to set up an HTTPS website in a few simple steps (Here's How to Install Free SSL Cert).Here's what Let's Encrypt says in its post:

"Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default.

We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted."

So, now it's time for the Internet to take a significant step forward towards security and privacy. With Let's Encrypt, the team wants HTTPS becomes the default and to make that possible for everyone, it had built Let's Encrypt in such a way that it is easy to obtain and manage.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Next in the queue, Kazakhstan is also planning to Spy on encrypted Internet Traffic of its citizens, but in the most shameless way.

Unlike other spying nations that are themselves capable of spying on their citizens, Kazakhstan will force every internet user in the country to install bogus security certs on their PCs and mobile devices, allowing the 'Dictator' Government to:

Country-Wide "Superfish" Campaign

"The National Security Certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources," read the notice published by Kazakhtelecom at the beginning of this week.

This simply means:

The Government's shameless 'National Security certificate' program – most likely a root CA cert similar to those found in Lenovo's Superfish and Dell's Superfish 2.0 scandals – will target users' access to encrypted services that rely on Internet traffic being routed outside of Kazakhstan.

However, traffic between Servers located in Kazakhstan won't be affected.

The surveillance will begin from January 1; less than a month from now.

Let's Encrypt has opened to the public, allowing anyone to obtain Free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers and to set up HTTPS websites in a few simple steps (mentioned below).

Let's Encrypt – an initiative run by the Internet Security Research Group (ISRG) – is a new, free, and open certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.

The Free SSL Certification Authority is now in public beta after testing a trial among a select group of volunteers.

How to Renew Let's Encrypt Free SSL Certificate: It is important to note that the beta version of Let's Encrypt issues certificates that expire after 90 days. So, to renew your SSL certificate, you need to run the letsencrypt-autoscript again after expiration.

FREE HTTPS Certificates for Everyone!

So, now it's time for the Internet to take a significant step forward in terms of security and privacy. With Let's Encrypt, the team wants HTTPS becomes the default and to make that possible for everyone, it had built Let's Encrypt in such a way that it is easy to obtain and manage.

"There's a reward going for anyone who can find a security hole in the service," the team wrote in a blog post. "We have more work to do before we're comfortable dropping the beta label entirely, particularly on the client experience."

"Automation is a cornerstone of our strategy, and we need to make sure that the client works smoothly and reliably on a wide range of platforms. We'll be monitoring feedback from users closely, and making improvements as quickly as possible."

Let's Encrypt had signed its first free HTTPS certificate in September, and its client software emerged in early November. Since then the team has been finding flaws in their systems before going public.

At least, that's what CryptoPeak is saying to all big brands that utilize HTTPS on their web servers.

BIG Brands Sued for Using HTTPS: 'Patent Troll'

Texas-based company CryptoPeak Solutions LLC has filed 66 lawsuits against many big businesses in the US, claiming they have illegally used its patented encryption method – Elliptic Curve Cryptography (ECC) – on their HTTPS websites.

Elliptic Curve Cryptography (ECC) is a key exchange algorithm that is most widely used on websites secured with Transport Layer Security (TLS) to determine what symmetric keys are used during a session.

Encryption is on the rise after Edward Snowden made the world aware of government’s global surveillance programs. Today, many big tech and online services are using encryption to:

Protect the data transmitted to/from visitor to domain

Lessen the risk of hacking

However, websites using the ECC key are now at risk of being forced to court for using the protocol. As CryptoPeak snapped up the Patent (US Patent 6,202,150) that describes "Auto-Escrowable and Auto-Certifiable Cryptosystems," which the firm argues covers elliptic curve cryptography (ECC).

Either Pay or Don't Use HTTPS

The abstract of the US Patent 6,202,150 describes the invention, which was granted in 2001:

Companies Targeted by CryptoPeak

Some of the biggest names CryptoPeak Solutions sued include:

Yahoo

Netflix

Pinterest

AT&T

Sony

Groupon

GoPro

Etsy

Petco

Target

Costco

Home Depot

Expedia

Barnes & Noble

Multiple financial institutions and hotel chains

You can see the full list of lawsuits, which is available online here.

"Defendant has committed direct infringement by its actions that comprise using one or more sites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security (TLS) protocol (the Accused Instrumentalities)," according to the lawsuits.

CryptoPeak can easily be categorized as a "Patent Troll," as it is still unclear if the cases will be successful or not. Since the patent describes some of the key tenets of ECC, which includes generating and publishing of public keys, not obvious corresponds directly to its implementation in HTTPS connections.

Some companies targeted by the firm are fighting the lawsuit that seeks damages and royalties, and other like Scottrade are doing out of court settlements, saying"all matters in controversy between CryptoPeak and Scottrade have been settled, in principle."

Netflix, one of over 60 companies being dragged to court, called CryptoKey's lawsuit "invalid" from the outset and filed a case to be dismissed under FED. R. CIV. P. 12(B)(6).

"The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the court overlooks the express words of the claims, construe the claims to read out certain language, or even correct the claims," Netflix said (PDF) in a court filing.

Millions of embedded devices, including home routers, modems, IP cameras, VoIP phones, are shareing the same hard-coded SSH (Secure Shell) cryptographic keys or HTTPS (HTTP Secure) server certificates that expose them to various types of malicious attacks.

A new analysis by IT security consultancy SEC Consult shows that the lazy manufacturers of the Internet of Things (IoTs) and Home Routers are reusing the same set of hard-coded cryptographic keys, leaving devices open to Hijacking.

In simple words, this means that if you are able to access one device remotely, you can possibly log into hundreds of thousands of other devices – including the devices from different manufacturers.

Re-Using Same Encryption Keys

In its survey of IoT devices, the company studied 4,000 embedded devices from 70 different hardware vendors, ranging from simple home routers to Internet gateway servers, and discovered that…

…over 580 unique private cryptographic keys for SSH and HTTPS are re-shared between multiple devices from the same vendor and even from the different vendors.

The most common use of these static keys are:

SSH host keys

X.509 HTTPS certificates

SSH host keys verify the identity of a device that runs an SSH server using a public-private key pair. If an attacker steals the device's SSH host private key, he/she can impersonate the device and trick the victim's computer to talk to his computer instead.

The same happens in the case of websites if an attacker gains access to the device's HTTPS private certificate, which is actually used to encrypt traffic between users and its Web-based management interface.

The attacker can then decrypt the traffic to extract usernames, passwords and other sensitive data with the help of device's HTTPS private key.

MILLLLLIONS of Devices Open to Attacks

When scanned the Internet for those 580 keys, the researchers found that at least 230 crypto keys are actively being used by more than 4 Million IoT devices.

Moreover, the researchers recovered around 150 HTTPS server certificates that are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.

The remaining crypto keys might be used by various other devices that are not connected to the Internet, but could still be vulnerable to man-in-the-middle (MITM) attacks within their respective local area networks.

As a result, potentially Millions of Internet-connected devices can be logged into by attackers, or their HTTPS web server connections can silently be decrypted by MitM attackers, using these crypto keys and certs once they're extracted from their firmware.

Where Does the actual Problem Reside?

The issue lies in the way vendors build and deploy their products. Typically, the vendors built their device's firmware based on software development kits (SDKs) received from chipmakers…

…without even bothering to change the source code or even the keys or certificates that are already present in those SDKs.

There are many reasons why this large number of devices are accessible from the Internet via HTTPS and SSH. These include:

Insecure default configurations by vendors

Automatic port forwarding via UPnP

Provisioning by ISPs that configure their subscribers' devices for remote management

"The source of the keys is an interesting aspect. Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various vendors," Sec Consult wrote in its blog post.

List of Vendors that are Re-Using Encryption Keys

Although SEC Consult identified more than 900 vulnerable products from roughly 50 manufacturers, the actual number could be even higher considering that its study only targeted firmware the company had access to.

Most Affected Countries

Here's the list of Top 10 countries that are affected by SSH/HTTPS encryption key reuse:

United States

Mexico

Brazil

Spain

Colombia

Canada

China

Russian Federation

Taiwan

United Kingdom

SEC Consult has "worked together with CERT/CC to address this issue since early August 2015." and it recommends vendors to use securely random cryptographic keys for each IoT-capable device.

Moreover, ISPs are advised to make sure that there is no possibility to remotely access CPE (customer premises equipment) devices via WAN port. In case they need access for remote support purposes, "setting up a dedicated management VLAN with strict ACLs is recommended."

Cookies are small pieces of data sent from web sites to web browsers, which contains various information used to identify users, or store any information related to that particular website.

HTTPS Cookie Injection Vulnerability

Whenever a website (you have visited) wants to set a cookie in your browser, it passes a header named “Set-Cookie” with the parameter name, its value and some options, including cookie expiration time and domain name (for which it is valid).

It is also important to note that HTTP based websites does not encrypt the headers in any way, and to solve this issue websites use HTTPS cookies with "secure flag", which indicates that the cookies must be sent (from browser to server) over a secure HTTPS connection.

However, the researchers found that some major web browsers accept cookies via HTTPS, without even verifying the source of the HTTPS cookies (cookie forcing), allowing attackers with man-in-the-middle position on a plain-text HTTP browsing session to inject cookies that will be used for secure HTTPS encrypted sessions.

For an unprotected browser, an attacker can set HTTPS cookie masquerading as another site (example.com) and override the real HTTPS cookie in such a way that even the user might not realise it's a fake while looking through their cookie list.

Now, this malicious HTTPS cookie is controlled by the attacker, thus being able to intercept and grab private session information.

The issue was first revealed at the 24th USENIX Security Symposium in Washington in August when researchers presented their paper that said that cookie injection attacks are possible with major websites and popular open source applications including…

Affected Browsers:

The Affected major web browsers includes previous versions of:

Apple’s Safari

Mozilla’s Firefox

Google’s Chrome

Microsoft’s Internet Explorer

Microsoft’s Edge

Opera

However, the good news is that the vendors have now fixed the issue. So, if you want to protect yourself from this kind of cookie injection MitM (Man-in-the-Middle) attack vectors, upgrade to the latest versions of these web browsers.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Last fall the non-profit foundation EFF (Electronic Frontier Foundation) launched an initiative called Let's Encrypt that aimed at providing Free Digital Cryptographic Certificates (TLS) to any website that needs them.

Today, Let's Encrypt – a free automated Open-source Certificate Authority (CA) – has signed its first certificate, hitting what it calls a major milestone to encrypt all of the Web.

Let's Encrypt enables any Internet site to protect its users with free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates that encrypt all the data passed between a website and users.

Not just free, but the initiative also makes HTTPS implementation easier for any website or online shopping site owner in order to ensure the security of their customers' data.

"Forget about hours (or sometimes days) of muddling through complicated programming to set up encryption on a website, or yearly fees," EFF explains. "Let’s Encrypt puts security in the hands of site owners."

The first certificate signed by Let's Encrypt is currently available only to beta-testers though anyone can check out the CA's first certificate on the group's website, which is issued for helloworld.letsencrypt.org.

Once clicked, the above HTTPS link may direct you to an SSL certificate error. It's because your browser does not trust the certificate authority right now.

"Let's Encrypt has not yet been added as a trusted authority to the major browsers (that will be happening soon)," the site explains. "So for now, you'll need to add the ISRG root certificate yourself. Specifics will depend on your browser. In Firefox, just click the link."

Sign-Up Now for Participating

Website owners who are interested in the beta testing phase can sign-up and submit their domain names for consideration.

Though major browsers do not yet recognize the certificate as a trusted authority, the Let's Encrypt team is working with Google (for Chrome), Microsoft (for Edge), Apple (for Safari), and Mozilla (for Firefox) to make it happen.

So, if everything goes well, the certificate will soon be available for everyone to use by the end of November 2015.

Securing the Internet with Let's Encrypt

Let's Encrypt is an initiative run by the Internet Security Research Group (ISRG) and backed by the EFF, Mozilla, Cisco, and Akamai, among others.

Attention Please! System Administrator and anyone relying on OpenSSL should be prepared to switch to a new version of the open-source crypto library that will be released this Thursday 9th July.

OpenSSL is a widely used open-source software library that provides encrypted Internet connections using SSL/TLS for majority of websites, as well as other secure services.

The new versions of OpenSSL crypto library, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as "high severity," the OpenSSL Project Team announced on Monday.

There isn't more details about the mystery security vulnerability available yet, except for the fact that the security vulnerability doesn't affect the 1.0.0 or 0.9.8 series.

"The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p," developer Mark J Cox announced in a mailing list note published yesterday."These releases will be made available on 9th July. They will fix a single security defect classified as 'high' severity. This defect does not affect the 1.0.0 or 0.9.8 releases."

The announcement of the new variants of OpenSSL was made in the concisest fashion possible to prevent cyber attackers from exploiting the hole before the fix is released to the public.

Some security experts have speculated that this high severity bug could be another Heartbleed or POODLE bug that were considered to be the worst TLS/SSL vulnerabilities still believed to be affecting websites on Internet today.

Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed hackers to read sensitive contents of victims' encrypted data, including credit card details and even steal crypto SSL keys from Internet servers or client software.

Months later, another critical flaw known as POODLE -- Padding Oracle On Downgraded Legacy Encryption -- was unearthed in the decade old but widely used SSL 3.0 cryptographic protocol that allowed attackers to decrypt the contents of encrypted connections.

However, a bunch of high severity vulnerabilities were fixed in March this year, which included denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services, and FREAK (CVE-2015-0204) that allowed attackers to force clients to use weaker encryption.

Let's Encrypt, a project aimed to provide free-of-charge and easier-to-implement way to obtain and use a digital cryptographic certificates (SSL/TLS) to secure HTTPS website, is looking forward to issue its first digital certificates next month.

With Let's Encrypt, any webmaster interested in implementing HTTPS for their services can get the certificates for free, which is a great move for encouraging people to encrypt their users’ connections to their websites.

Generally, the process of implementation of an SSL certificate, including the need to obtain and install a certificate, is complicated for most web developers as it sounds.

In most cases, the cost related issues force web administrators to give up on using encrypted connections.

However, the goal of the Let's Encrypt project is to simplify this certificate implementation process, meanwhile reducing the cost for operators by not needing them to pay for security.

"We will issue the first end entity certificates under our root under tightly controlled circumstances," the official announcement says. "No cross-signature will be in place yet, so the certificates will not validate unless our root is installed in client software."

The Let's Encrypt authority will soon provide browser-trusted certificates through a publicly documented API (Application Program Interface) that any webmaster or website owner can implement.

Informal tests conducted by the researchers showed that it often takes 1-3 hours for a webmaster to install a certificate.

Lets Encrypt is funded by the Internet Security Research Group (ISRG), a new California-based public-benefit corporation. The project is going to enter its soft-launch stage next month and will be available for the general public in September this year.

So, very soon a certificate can be obtained for free-of-cost. However, an extended validation (EV) SSL certificates can cost you up to $1,000 (approx. £640).

After facing much criticism for violation of Net Neutrality, Facebook has opened up its new Internet.org platform to developers for creating their apps and services in India and other countries.

Facebook's Internet.org aims at offering free Internet access to "the next 5 billion" impoverished people around the world who currently don't have it.

This current move now would potentially allow any website to be accessed for free via the Internet.org service, but only in the case, if the website ditches the encrypted communications (HTTPS), JavaScript, and other important things.

Internet for All:

However, in order to access the free Internet, users must have special Android apps, Internet.org's website, the Opera Mini web browser or Facebook's Android app.

Until now, the Internet.org scheme had been limited to a few number of websites and services, which include the Facebook, Wikipedia, BBC News, Accuweather, the Facts for Life health site run by the United Nations Children's Fund and some selected local news and sports results providers.

A number of companies in India pulled themselves out of Internet.org scheme as it directs online users toward a limited set of services.

But now, this scheme is widely open for all developers who can join what is being called the Internet.org Platform and create their services to be delivered through Internet.org.

However, it is not as simple as it sounds.

There are some limitations on what the developers can offer. The social media giant has set some rules and regulations, among those include:

No encrypted connections – Internet.org platform does not support HTTPS (SSL/TLS) as all the web traffic goes through internet.org proxy servers. So websites with encryption support are flat out rejected from the program.

Websites should not be data-intensive – Videos, high-resolution images and online voice chats and video chats are totally banned.

Websites must be able to run on both cheaper, as well as powerful smartphones – To ensure this, the use of JavaScript, HTTPS communications protocol, Flash files and certain other web-based products are also among the banned content.

The major issue with the platform remains. Internet.org turns out to be a privacy nightmare for users as the platform will not support encryption, which makes easier for anyone to snoop on the poor online users.

However, Zuckerberg commented on his Facebook status to reply a user that HTTPS via Internet.org is going to "happen soon."

Net Neutrality Violation:

The move comes just a few days after Mark Zuckerberg himself targeted for trampling all over Net Neutrality principles with his Internet.org scheme.

Many activists suggested that Zuck’s scheme of free Internet for all compromises the principles of Net Neutrality, as it supports access to some websites and apps over others.

However, Zuck said in an online video announcing the new Internet.org platform that "Internet.org was not sustainable to offer the whole Internet for free [because that may] cost tens of billions of dollars every year to run the Internet, and no operator could afford this if everything were free."

However, Internet.org platform is sustainable to build free basic services and applications that are simpler to use with less mobile data pack, as well as work on all low-end mobile phones.

Encryption is one of the major steps to be taken by every big technology giant in order to protect its users over the Internet, and, among those, Google has set an admirable example by gradually moving all of its online services to use strong HTTPS encryption.

To help protect privacy and security of its users, the search engine giant is moving its advertising platforms to HTTPS, as well.

Google has already moved its YouTube advertisements to HTTPS as of the end of last year, but Google has a widely spread ad network that serves ads to Hundreds of Millions of users across the Globe every day.

However, the content of those ads are mainly controlled by the advertisers, and we cannot predict their intention. To better combat this issue...

...Google will serve most of its advertisements over encrypted links by the end of June this year.

"The vast majority of mobile, desktop computer, and video display ads served to the Google Display Network, DoubleClick and AdMob publishers will be encrypted [by June 30]," Google said in a blog post.

For advertisers buying ads through Google...

...the search engine giant is also planning to make similar changes. This means:

The advertisers using any of the buying platforms, such as AdWords or DoubleClick, will have an option to serve HTTPS-encrypted display advertisements to all HTTPS-enabled inventory, such as Gmail and YouTube.

According to the company, the advertising industry could help make the Internet safer for all online users by encrypting ads. It also points to a recent post published by the Interactive Advertising Bureau (IAB), announcing that in 2015, the ad industry "needs to finish catching up" and adopt HTTPS.

Though the company didn’t provide any deeper explanation about the use of encryption in the advertising platform, the move could be a part of Google’s efforts to encrypt everything under a wider "HTTPS Everywhere" initiative.